Efficient and Verifiable Range Query Scheme for Encrypted Geographical Information in Untrusted Cloud Environments

Abstract

With the rapid development of geo-positioning technologies, location-based services have become increasingly widespread. In the field of location-based services, range queries on geographical data have emerged as an important research topic, attracting significant attention from academia and industry. In many applications, data owners choose to outsource their geographical data and range query tasks to cloud servers to alleviate the burden of local data storage and computation. However, this outsourcing presents many security challenges. These challenges include adversaries analyzing outsourced geographical data and query requests to obtain privacy information, untrusted cloud servers selectively querying a portion of the outsourced data to conserve computational resources, returning incorrect search results to data users, and even illegally modifying the outsourced geographical data, etc. To address these security concerns and provide reliable services to data owners and data users, this paper proposes an efficient and verifiable range query scheme (EVRQ) for encrypted geographical information in untrusted cloud environments. EVRQ is constructed based on a map region tree, 0–1 encoding, hash function, Bloom filter, and cryptographic multiset accumulator. Extensive experimental evaluations demonstrate the efficiency of EVRQ, and a comprehensive analysis confirms the security of EVRQ.

1. Introduction

In recent years, due to the rapid development of the Internet of Things (IoT) and precise positioning technologies (such as the Global Positioning System, GPS), Location-based Services (LBS) and the corresponding applications have become prevalent and widely used [1,2,3]. In the traditional model of LBS, the data owners, who are the location service providers, store the geographical data locally. Data users send query requests to the data owners, who process these queries over the geographical data locally and then return the query results to the data users. However, as cloud computing becomes increasingly mature, an increasing number of data owners are choosing to outsource their location data to cloud servers. This allows them to take full advantage of various benefits provided by cloud computing, such as improved reliability, enhanced flexibility, accelerated deployment, and so on [4,5]. In this new cloud-based model of LBS, the data owners outsource their geographical data to the cloud servers, and the data users send query requests to the cloud servers. The cloud servers execute the query requests from the data users and then return the query results to them.

However, in this new cloud based model of LBS, the geographical data stored in the cloud server are not directly controlled by the data owners, and the query requests from data users are processed by the cloud server. As a result, both the geographical data in the cloud server and the query requests of data users are vulnerable to various security threats [6]. These threats have the potential to pose significant risks to people’s safety and property. For example, attackers may try to steal and analyze the geographical data stored in cloud servers and then infer the privacy information, such as users’ movements, home addresses, and other personal information. Untrusted cloud servers may selectively query a portion of the geographical data to save computational resources. Untrusted cloud servers may provide incorrect query results to mislead data users, and then gather information about the wrong location for specific purposes. In some cases, untrusted cloud servers may even illegally modify the outsourced geographical data.

To address the security and privacy concerns of geographical information in an untrusted cloud environment, a straightforward and effective approach is to encrypt the geographical data prior to outsourcing them to the cloud server [7]. Traditional encryption methods (such as block encryption) are effective in securing geographical data stored in cloud servers. However, they do not facilitate range query over ciphertexts or provide verification for the correctness of query results or the integrity of the query process. Therefore, in the cloud-based model of LBS, simultaneously ensuring the security of geographical data in the cloud server, preserving the query privacy of data users, enabling efficient and effective data retrieval, and providing verification for the correctness of query results and the integrity of the query process have become a challenging task [8,9].

Currently, methods available for addressing the aforementioned issues include order-preserving encryption methods [10,11,12,13,14,15], bucketization methods [16,17,18,19,20,21,22], and public key encryption methods [23,24,25,26]. Order-preserving encryption methods can support efficient query on the ciphertexts of geographical data. However, these methods have a security drawback as they leak the order information between ciphertexts. Then, attackers can infer the plaintexts underlying ciphertexts by using the leaked order information. To protect the order information between ciphertexts, bucketization methods encrypt and retrieve data within a bucket as a whole. Consequently, bucketization methods do not support accurate ciphertext queries. Public key-based encryption methods can provide strict security and accurate query results. However, due to the computational complexity of the public key encryption methods, the efficiency is often compromised. Therefore, using public key encryption methods in LBS can adversely affect users’ experience. For example, in a high-speed moving vehicle, untimely query results from the cloud server may cause data users to miss the nearest destination.

In this paper, we propose an efficient and verifiable range query scheme (EVRQ) for encrypted geographical information in untrusted cloud environments. In our scheme, we propose a method for dividing map regions (MRs) level by level according to the distribution of points of interest (POIs). In the EVRQ scheme, different MRs at the same level contain the same (or similar) number of POIs, and attackers are unable to distinguish between different MRs at the same level according to the density distribution of POIs. The data owner constructs a map region tree (MRT). In the MRT, the nodes at the same level are associated with the MRs, which are also at the same level. Then, the data owner builds an MRT index by using the MRT, 0–1 encoding, hash function, Bloom filter, and cryptographic multiset accumulator techniques. Next, the data owner encrypts POIs. Finally, the data owner outsources the ciphertexts of POIs and MRT index to the cloud server. The data user processes their queried range by using 0–1 encoding and hash function techniques to generate a query token and sends the query token to the cloud server. The cloud server compares the query token with the nodes of the MRT index in a top–down manner and then returns the retrieved ciphertexts of POIs to the data user as the query results. The data user can also request relevant information from the cloud server to verify the correctness of the query results and the integrity of the query process. The contributions of this paper are as follows:

• We propose a division method for MRs and then build an MRT index. In the MRT index, POIs are evenly distributed. Attackers (including untrusted cloud servers) cannot infer the query privacy of the data user by observing the data user’s query process and analyzing the density distribution of POIs.
• We propose an efficient range query scheme on the MRT index, which can efficiently verify the correctness of the query results and the entirety of the query process by combining Bloom filter, hash calculation, and cryptographic multiset accumulator techniques.
• We conducted extensive experiments to evaluate the performance of EVRQ. The experimental results demonstrate the efficiency of the EVRQ scheme. Additionally, we provide a detailed analysis of the correctness and the security of the EVRQ scheme.

2. Related Work

Order-preserving encryption (OPE) methods [10,11] support efficient comparison between ciphertexts due to the preservation of the order information within the ciphertexts. Boldyreva et al. introduced a weaker security definition known as random order preserving function (ROPF) security, which requires that the ciphertext cannot be distinguished from the function value generated by a randomly generated incremental function. Moreover, they developed the BCLO scheme, the first OPE scheme that can be proven to be secure. Subsequently, there have been ongoing efforts [12,13,14,15] aimed at improving the efficiency and security of the BCLO scheme. The majority of existing OPE methods only consider comparisons between ciphertexts of single-dimensional data. As the geographical data usually have multiple dimensions, these OPE methods are not suitable to process the geographical data. Recently, Zhan et al. [27] proposed an OPE method to support efficient range query over the ciphertexts of multi-dimensional data. However, as the order information is not protected in these OPE methods, attackers can analyze the order information of the ciphertexts and then infer the underlying plaintexts [7]. Thus, the security of OPE methods is not very high.

Bucketizaion methods [16,17] have been proposed to protect the order information of the ciphertexts and support efficient queries over ciphertexts. In a bucketizaion method, all the data are partitioned into multiple buckets. Then, the entire data within each bucket are encrypted as a unit. During the query process, if there are any data in a bucket that match the query request, all the ciphertexts within that bucket will be returned as the query results. Many researchers have proposed different approaches to optimize bucketization methods. Lee et al. [19] sorted all the buckets in an ordered manner to improve the search efficiency over buckets. Wang et al. [18] organized all the buckets together using an R-tree and applied the asymmetric scalar product preserving encryption (ASPE) [28] to encrypt the nodes of the R-tree nodes. As ASPE ensures the security of the information stored in the R-tree nodes and supports ciphertext comparisons, Wang’s method can support efficient ciphertext retrieval. Since then, many bucketization methods [20,21,22] have been proposed to solve the issue of ciphertext query in cloud servers. However, the bucketization methods have a common drawback: if a bucket contains any data that satisfy a query request, all the ciphertexts within that bucket will be returned as the query results. Therefore, the query results are not accurate.

Public key-based encryption methods [23,24,25,26] have been proposed to support accurate queries over ciphertexts. Shi et al. [24] organized all the multi-dimensional data by utilizing several interval trees. Both multi-dimensional data and multi-dimensional queried range are identified by the node identifications (IDs) in these interval trees. Thus, these node IDs are embedded in the ciphertexts of multi-dimensional data and the query tokens of queried ranges. During the query process, if the IDs in the search token of the queried ranges match those IDs in the ciphertexts of multi-dimensional data, the ciphertexts can be correctly retrieved. Lu et al. [25] proposed a method to support range query over ciphertexts. Their method was constructed by using a B+tree and the encryption method in [29]. As in the high computation overhead of [29], Lu’s method [25] is not very efficient. Wu et al. [30] proposed a method to support range query and verification over the ciphertexts of the multi-dimensional data. In a recent work, Mei et al. [26] proposed a method to support range query and access control on the ciphertexts of the multi-dimensional data. As many of the existing public key-based encryption methods are based on computations over elliptic curves, these public key-based encryption methods are not very efficient.

3. Preliminaries

The EVRQ scheme is constructed by using several techniques. The 0–1 encoding enables the conversion of comparative operations between numbers into set operations. A cryptographic multiset accumulator is utilized to verify the intersection of two sets. The Bloom filter efficiently performs set operations with a high probability of accuracy. The details of these technologies are as follows.

3.1. 0–1 Encoding

The 0–1 encoding [31] converts a positive integer n to a t-length binary string, denoted by $n_t{n}_{t-1}\dots n_1$. Then, 0–1 encoding generates two sets. A set is $S_n^0=\{n_t{n}_{t-1}\dots n_{i+1}1|n_i=0,1\le i\le t\}$, and the other set is $S_n^1=\{n_t{n}_{t-1}\dots n_i|n_i=1,1\le i\le t\}$. For two positive integers n and $n^{\prime }$, 0–1 encoding can be used to determine the ordering relationship between n and $n^{\prime }$. Specifically, $S_n^1\cap S_{n^{\prime }}^0\ne \varnothing \iff n\ge n^{\prime }$ and $S_n^1\cap S_{n^{\prime }}^0=\varnothing \iff n<n^{\prime }$. For example, 3 and 6 are two positive integers. The 4-length binary strings of 3 and 6 are ${\left(0011\right)}_2$ and ${\left(0110\right)}_2$, respectively. The 0–1 encodings of 3 and 6 are $S_3^0=\{1,01\}$, $S_3^1=\{001,0011\}$, $S_6^0=\{1,0111\}$ and $S_6^1=\{01,011\}$. As $S_6^1\cap S_3^0\ne \varnothing$, $6\ge 3$. And also, as $S_3^1\cap S_6^0=\varnothing$, $3<6$.

3.2. Cryptographic Multiset Accumulator

A cryptographic multiset accumulator [32] is widely used to prove set disjointness. It contains the following four algorithms.

$KeyGen\left(1^{\lambda }\right)\to (s{k}_{ACC},p{k}_{ACC})$. It takes a security parameter $\lambda$ as input and outputs a secret key $s{k}_{ACC}$ and a public key $p{k}_{ACC}$.

$Setup(X,p{k}_{ACC},s{k}_{ACC})\to acc\left(X\right)$. It takes a multiset X, the public key $p{k}_{ACC}$, and the secret key $s{k}_{ACC}$ as inputs and outputs the accumulative value $acc\left(X\right)$.

$ProveDisjoint(X_1,X_2,p{k}_{ACC})\to \mathsf{\Pi }$. It takes two multisets $X_1$, $X_2$ ($X_1\cap X_2=\varnothing$) and the public key $p{k}_{ACC}$ as inputs. It outputs a proof $\mathsf{\Pi }$.

$VerifyDisjoint(acc\left(X_1\right),acc\left(X_2\right),\mathsf{\Pi },p{k}_{ACC})$. It takes the accumulative values $acc\left(X_1\right)$, $acc\left(X_2\right)$, a proof $\mathsf{\Pi }$, and the public key $p{k}_{ACC}$ as inputs. It outputs 1 if and only if $X_1\cap X_2=\varnothing$.

3.3. Bloom Filter

Bloom filter [33] offers a probabilistic but very efficient way to determine whether an element belongs to a set. A Bloom filter contains (1) a set $E=\{e_1,e_2,\dots ,e_n\}$ (n is a positive integer); (2) a hash function $hash$ and w different hash keys $k_1$, $k_2$, …, $k_w$ (w is a positive integer); and (3) a bit array A of t bits (each bit is initialized to 0). For each element $e_i\in E$ ($i=1,2,\dots ,n$), the Bloom filter computes hash values $hash(e_i,k_1)$, $hash(e_i,k_2)$, …, $hash(e_i,k_w)$ and then sets the values at the positions $hash(e_i,k_1)$, $hash(e_i,k_2)$, …, $hash(e_i,k_w)$ of A to 1. To test whether an element $e^{\prime }$ belongs to the set E, the Bloom filter calculates the hash values $hash(e^{\prime },k_1)$, $hash(e^{\prime },k_2)$, …, $hash(e^{\prime },k_w)$. If all the values at the positions $hash(e^{\prime },k_1)$, $hash(e^{\prime },k_2)$, …, $hash(e^{\prime },k_w)$ of A are 1, $e^{\prime }$ is considered to be a member of E. Otherwise, $e^{\prime }$ is not in E.

4. System Model

Figure 1 shows the system model of EVRQ. Firstly, the data owner (DO) generates multiple map regions (MRs) according to the locations of points of interest (POIs) in a map. Then, the DO encrypts all the information of POIs and builds a map region tree (MRT) index by using the MRs, 0–1 encoding, cryptographic multiset accumulator, and Bloom filter techniques. Next, the DO outsources the ciphertexts of POIs and the MRT index to the cloud server (CS) and distributes secret keys to the data user (DU). The DU generates a query token for their queried range and sends the query token to the CS. After receiving the query token, the CS performs range query on the MRT index. Finally, the CS returns the retrieved ciphertexts of POIs to the DU as the query results. According to the DU’s requirements, they can verify the correctness of query results and the entirety of the query process.

In EVRQ, the CS is untrusted. Precisely, the CS does not faithfully follow the DO and the DU’s designated protocols and procedures. Specifically, the CS may (1) be curious about the geographical data and the index stored within them, (2) selectively query only a portion of the geographical data to save computational resources, (3) intentionally include some geographical data that do not meet the query condition in the query results and return them to the DU, and (4) even illegally modify the geographical data and the index stored in the CS. The DO and the DU are considered trustworthy.

Definition 1.

Correctness. Suppose that $s_1$, $s_2$, …, $s_n$ represent n different POIs and $Enc\left(s_1\right)$, $Enc\left(s_2\right)$, …, $Enc\left(s_n\right)$ represent the ciphertexts of $s_1$, $s_2$, …, $s_n$ respectively, and these ciphertexts are the query results retrieved from the MRT index when querying with the range Q. The EVRQ scheme is correct if these ciphertexts of POIs $Enc\left(s_1\right)$, $Enc\left(s_2\right)$, …, $Enc\left(s_n\right)$ are stored within the MRs of the leaf nodes in the MRT index and these MRs intersect with the queried range Q.

Definition 2.

Security. Suppose $F\left(d\right)=count\left(d\right)$ is a leakage function, where d is a binary string and $count\left(d\right)$ returns a total number of 1 in d. If no adversary can access any information beyond what is revealed by F, the EVRQ scheme is considered secure.

Definition 3.

Structure Indistinguishability. For any two MRs, if and only if these two MRs contain the same number of POIs, their corresponding MR trees and MRT indexes have the same structure.

5. Construction of Our Scheme EVRQ

In this section, we first describe MR and MRT in our scheme EVRQ. Then, we introduce MR encoding. Finally, we present the construction of the EVRQ scheme in detail.

5.1. Map Region (MR) and Map Region Tree (MRT)

Suppose there are n POIs which are distributed in an MR. These POIs are denoted by $s_1$, $s_2$, …, $s_n$, respectively. The DO divides this MR into multiple MRs. Each MR is associated with a level number, and the MRs with the same level number contain the same or a similar number of POIs. The generation process of MRs is as follows.

Firstly, the DO uses the notation $M_1^1$ to denote the whole MR. $M_1^1$ is the first-level MR, which covers all the POIs in the whole MR. The superscript of $M_1^1$ represents the level of $M_1^1$ and the subscript represents the order of $M_1^1$ within its level.

Secondly, the DO divides $M_1^1$ into two parts by a vertical line. The left part is denoted by $M_{1left}^1$, and the right part is denoted by $M_{1right}^1$. If the total number of POIs in $M_1^1$ is even, then the DO sets the total number of POIs in $M_{1left}^1$ to be equal to that in $M_{1right}^1$. If the total number of POIs in $M_1^1$ is odd, then the DO sets the total number of POIs in $M_{1right}^1$ to be one more than that in $M_{1right}^1$.

Thirdly, the DO divides $M_{1left}^1$ into two parts by a horizontal line. The upper part is denoted by $M_{1left-up}^1$, and the lower part is denoted by $M_{1left-down}^1$. If the total number of POIs in $M_{1left}^1$ is even, then the DO sets the total number of POIs in $M_{1left-up}^1$ to be equal to that in $M_{1left-low}^1$. If the total number of POIs in $M_{1left}^1$ is odd, then the DO sets the total number of POIs in $M_{1left-up}^1$ to be one more than that in $M_{1left-low}^1$. The DO also divides $M_{1right}^1$ into two parts by another horizontal line. The upper part is denoted by $M_{1right-up}^1$, and the lower part is denoted by $M_{1right-low}^1$. In the same way, if the total number of POIs in $M_{1right}^1$ is even, then the DO sets the total number of POIs in $M_{1right-up}^1$ to be equal to that in $M_{1right-low}^1$. If the total number of POIs in $M_{1right}^1$ is odd, then the DO sets the total number of POIs in $M_{1right-down}^1$ to be one more than that in $M_{1right-up}^1$.

According to the method of MR division above, $M_1^1$ is divided into four MRs: $M_{1left-low}^1$, $M_{1left-up}^1$, $M_{1right-low}^1$, and $M_{1right-up}^1$, respectively. For the sake of convenience, these four MRs are denoted by $M_1^2$, $M_2^2$, $M_3^2$, and $M_4^2$, respectively. The superscript 2 represents the level of these MRs and the subscripts 1, 2, 3, and 4 represent the order of these MRs within level 2.

Finally, the DO divides $M_1^2$, $M_2^2$, $M_3^2$, and $M_4^2$ iteratively until each MR contains only a single POI.

According to the method of the MR division above, it is easy to observe two facts: (1) most MRs within the same level contain an equal (or a similar) number of POIs. Specifically, the difference in the number of POIs contained in different MRs is at most one; (2) when different MRs contain an equal (or a similar) number of POIs, an attacker cannot effectively distinguish these MRs according to the number of POIs they contain. Therefore, an attacker (including the untrusted CS) cannot infer the query privacy of the DU by observing the DU’s query process on different MRs and analyzing the density distribution of POIs in different MRs.

In the following Example 1, we demonstrate our method for MR division.

Example 1.

Figure 2 (1) shows the first-level MR, denoted by $M_1^1$, which contains 17 gas stations (17 POIs). Firstly, the DO divides $M_1^1$ into two parts, $M_{1left}^1$ and $M_{1right}^1$, by a vertical line. $M_{1left}^1$ contains 9 gas stations ($S_1,S_2,S_3,S_4,S_5,S_6,S_7,S_8,S_{13}$), while $M_{1right}^1$ contains 8 gas stations ($S_9,S_{10},S_{11},S_{12},S_{14},S_{15},S_{16},S_{17}$). Then, the DO further divides $M_{1left}^1$ into two parts, $M_1^2$ and $M_3^2$, by a horizontal line. Similarly, the DO divides $M_{1right}^1$ into two parts, $M_2^2$ and $M_4^2$, by another horizontal line. As shown in Figure 2 (2), $M_1^2$ contains 4 gas stations ($S_1,S_2,S_4,S_5$), $M_2^2$ contains 4 gas stations ($S_9,S_{10},S_{11},S_{12}$), $M_3^2$ contains 5 gas stations ($S_3,S_6,S_7,S_8,S_{13}$), and $M_4^2$ contains 4 gas stations ($S_{14},S_{15},S_{16},S_{17}$). Then, the DO divides these second-level MRs—$M_1^2$, $M_2^2$, $M_3^2$, and $M_4^2$—iteratively. As shown in Figure 2 (3), the DO obtains the third-level MRs: $M_1^3,M_2^3,\dots ,M_{16}^3$. Each third-level MR (except for $M_{11}^3$) contains only one gas station. Thus, the DO stops further dividing these third-level MRs. As $M_{11}^3$ contains 2 gas stations ($S_7,S_8$), the DO continues to divide $M_{11}^3$. As shown in Figure 2 (4), the DO obtains the fourth-level MRs $M_1^4$ ($M_1^4$ only contains one gas station $S_7$) and $M_2^4$ ($M_2^4$ only contains one gas station). As $M_1^4$ and $M_2^4$ only contain one gas station, the DO stops dividing $M_1^4$ and $M_2^4$.

To construct an MRT, the DO firstly constructs a quadtree and processes the quadtree by using the MRs. In the quadtree, the DO associates the first-level node (i.e., the root node) with the MR $M_1^1$ that contains all the POIs. Secondly, the DO divides $M_1^1$ into four MRs ($M_1^2,M_2^2,M_3^2,M_4^2$) that contain the same (or a similar) number of POIs. The DO associates the second-level nodes (i.e., the child nodes of the root node) with the MRs $M_1^2,M_2^2,M_3^2,M_4^2$, respectively. Then, the DO continues to divide $M_1^2,M_2^2,M_3^2,M_4^2$ into sixteen MRs $M_1^3,M_2^3,\dots ,M_{16}^3$ that contain the same (or a similar) number of POIs, and then associates the third-level nodes of the quadtree with these MRs ($M_1^3,M_2^3,\dots ,M_{16}^3$). By using the same method, the DO processes the quadtree in a top–down manner. Finally, the DO associates each leaf node of the MRT with an MR that contains only one POI. After processing each node of the quadtree, the DO obtains the MRT. Note that, in our scheme, there is no intersection between the POIs contained in different MRs that are associated with the same level nodes in the MRT.

Figure 3 shows the MRT that is constructed by using the MRs in Figure 2. As shown in Figure 3, each node is associated with an MR ($M_1^1$, $M_1^2$, etc.), and each leaf node is associated with an MR that contains only one POI ($S_1$, $S_2$, etc.). By observing the MRT, it is easy to observe the following: (1) as the depth difference between leaf nodes is at most one, the MRT is a balanced tree. Therefore, the MRT supports fast traversal. (2) As the MRs of the same level contain an equal (or similar) number of POIs, the structures of the corresponding subtrees are the same (or similar). Thus, it is difficult to effectively distinguish different MRs of the same level and their corresponding subtrees. This feature ensures that the density distribution information of POIs remains protected. Therefore, an attacker (including the untrusted CS) cannot infer the DU’s query privacy by observing the DU’s query process on the MRT and analyzing the density distribution information of POIs on a map.

5.2. Map Region (MR) Encoding

As shown in Figure 4, an MR M can be represented by the minimum point $p_{min}=(x_{min},y_{min})\in M$ and the maximum point $p_{max}=(x_{max},y_{max})\in M$. Therefore, the encoding of M can be represented by the encodings of $x_{min}$, $y_{min}$, $x_{max}$, and $y_{max}$. The encoding process of $x_{min}$, $y_{min}$, $x_{max}$, and $y_{max}$ is as follows.

Firstly, the DO encodes $x_{min}$, $y_{min}$, $x_{max}$, and $y_{max}$ to t-length binary strings (t is a large-enough positive integer), denoted by $B\left(x_{min}\right)$, $B\left(y_{min}\right)$, $B\left(x_{max}\right)$, and $B\left(y_{max}\right)$, respectively.

Secondly, the DO generates random numbers $r_{x_{min}}$, $r_{y_{min}}$, $r_{x_{max}}$, and $r_{y_{max}}$ for $x_{min}$, $y_{min}$, $x_{max}$, and $y_{max}$, respectively. Finally, the DO encodes these random numbers to t-length binary strings, denoted by $B\left(r_{x_{min}}\right)$, $B\left(r_{y_{min}}\right)$, $B\left(r_{x_{max}}\right)$, and $B\left(r_{y_{max}}\right)$, respectively. These random numbers $r_{x_{min}}$, $r_{y_{min}}$, $r_{x_{max}}$, and $r_{y_{max}}$ are used to randomize the boundary information $x_{min}$, $y_{min}$, $x_{max}$, and $y_{max}$ of MR while ensuring comparability between them.

Then, the DO concatenates the above binary strings to obtain $B\left(x_{min}\right)\left|\right|B\left(r_{x_{min}}\right)$, $B\left(y_{min}\right)\Vert B\left(r_{y_{min}}\right)$, $B\left(x_{max}\right)\left|\right|B\left(r_{x_{max}}\right)$, and $B\left(y_{max}\right)\left|\right|B\left(r_{y_{max}}\right)$, where $\left|\right|$ denotes concatenation operation. Note that the above processes for binary strings still preserve the ordering relationship between the data. For example, as $x_{max}>x_{min}$ and $y_{max}>y_{min}$, there are $B\left(x_{max}\right)\left|\right|B\left(r_{x_{max}}\right)>B\left(x_{min}\right)\left|\right|B\left(r_{x_{min}}\right)$ and $B\left(y_{max}\right)\left|\right|B\left(r_{y_{max}}\right)>B\left(y_{min}\right)\left|\right|B\left(r_{y_{min}}\right)$.

Finally, the DO calculates the 0-encodings of $B\left(x_{min}\right)\left|\right|B\left(r_{x_{min}}\right)$ and $B\left(y_{min}\right)\left|\right|B\left(r_{y_{min}}\right)$, denoted by $S_{x_{min}}^0$ and $S_{y_{min}}^0$, respectively. The DO calculates the 1-encodings of $B\left(x_{max}\right)\left|\right|B\left(r_{x_{max}}\right)$ and $B\left(y_{max}\right)\left|\right|B\left(r_{y_{max}}\right)$, denoted by $S_{x_{max}}^1$ and $S_{y_{max}}^1$, respectively. The DO uses $S_{x_{min}}^0$, $S_{y_{min}}^0$, $S_{x_{max}}^1$, and $S_{y_{max}}^1$ as the MR encoding of M in Figure 4.

5.3. Efficient and Verifiable Range Query Scheme (EVRQ)

5.3.1. System Setup

Firstly, the DO randomly chooses a number as the key k. Then, the DO sets a security parameter $\lambda$ and executes the algorithm $KeyGen\left(1^{\lambda }\right)$ in [32], which outputs a secret key $s{k}_{ACC}$ and a public key $p{k}_{ACC}$. Next, the DO sets four tagging parameters $ta{g}_0$, $ta{g}_1$, $ta{g}_2$, and $ta{g}_3$ and selects w hash keys $k_1,k_2,\dots ,k_w$ used for the hash function in a Bloom filter. Finally, the DO keeps $s{k}_{ACC}$ secretly; the DO also sends the tagging parameters $ta{g}_0$, $ta{g}_1$, $ta{g}_2$, and $ta{g}_3$; hash keys $k_1,k_2,\dots ,k_w$; and the key k to the DU, and publishes $p{k}_{ACC}$.

5.3.2. Map Region Tree (MRT) Index Construction

Firstly, we represent the method for processing a node in MRT. Then, we introduce the method for constructing an MRT index.

1. Node Processing in MRT. To facilitate explanation, we assume that N is a node in MRT, and N is associated with an MR M, which is represented by $S_{x_{min}}^0$, $S_{y_{min}}^0$, $S_{x_{max}}^1$, and $S_{y_{max}}^1$ (see Section 5.2).

The DO converts $S_{x_{min}}^0$ to ${\overline{S}}_{x_{min}}^0=\left\{hash(a,k)\right||ta{g}_0\}$ by using the key k and a secure hash function (such as SHA families), where $a\in S_{x_{min}}^0$ and $\left|\right|$ represent the concatenation operation. Similarly, the DO converts $S_{y_{min}}^0$, $S_{x_{max}}^1$, and $S_{y_{max}}^1$ to ${\overline{S}}_{y_{min}}^0=\left\{hash(a,k)\right||ta{g}_1\}$ (where $a\in S_{y_{min}}^0$), ${\overline{S}}_{x_{max}}^1=\left\{hash(a,k)\right||ta{g}_2\}$ (where $a\in S_{x_{max}}^1$), and ${\overline{S}}_{y_{max}}^1=\left\{hash(a,k)\right||ta{g}_3\}$ (where $a\in S_{y_{max}}^1$), respectively. During the conversion process, tagging parameters $ta{g}_0$, $ta{g}_1$, $ta{g}_2$, and $ta{g}_3$ are padded after each element in ${\overline{S}}_{x_{min}}^0$, ${\overline{S}}_{y_{min}}^0$, ${\overline{S}}_{x_{max}}^1$, and ${\overline{S}}_{y_{max}}^1$, respectively. This ensures that ${\overline{S}}_{x_{min}}^0$, ${\overline{S}}_{y_{min}}^0$, ${\overline{S}}_{x_{max}}^1$, and ${\overline{S}}_{y_{max}}^1$ are disjoint with each other.

The DO computes the union set $S_M={\overline{S}}_{x_{min}}^0\cup {\overline{S}}_{y_{min}}^0\cup {\overline{S}}_{x_{max}}^1\cup {\overline{S}}_{y_{max}}^1$ and executes the algorithm $Setup(S_M,p{k}_{ACC},s{k}_{ACC})$ in [32]. This algorithm outputs the accumulated value of all elements in $S_M$, denoted by $acc\left(S_M\right)$.

The DO selects an l-length binary string, denoted by $BF$ (each bit of $BF$ is initialized to 0). For each element $a\in S_M$, the DO calculates hash values $has{h}_{BF}(a,k_1)$, $has{h}_{BF}(a,k_2)$, …, $has{h}_{BF}(a,k_w)$ and sets the corresponding positions in $BF$ to 1.

2. MRT index Construction. As the CS is considered to be untrusted in our scheme EVRQ, the CS may selectively query only a portion of the data to save computational resources, and even illegally modify the data and the index stored in the CS. To prevent such malicious operations, the DO needs to generate hash values for each node in an MRT index. By using the hash values of the MRT index, the DU can verify that the CS has traversed the entire MRT index and has not made any illegal modifications to the geographical data and the MRT index stored in the CS. The generation of hash values in the MRT index is as follows.

Suppose that N is a leaf node in the MRT, N is associated with an MR M which contains only one POI, denoted by s. Firstly, the DO uses a secure encryption method, such as AES [34], to encrypt s and securely distributes the decryption key to the DU. The ciphertext of s is denoted by $Enc\left(s\right)$. Secondly, the DO calculates $S_M$, $acc\left(S_M\right)$, and $B{F}_M$ (see Section 5.3.2). Then, the DO computes the hash value of N, which is $h_N=has{h}_{node}(Enc\left(s\right)\oplus S_M\oplus acc\left(S_M\right)\oplus B{F}_M)$ (⊕ represents the XOR operation). Finally, the DO stores $Enc\left(s\right)$, $S_M$, $acc\left(S_M\right)$, $B{F}_M$, and $h_N$ in the leaf node N.

Suppose that N is an internal node in the MRT, and N is associated with an MR M. There are four child nodes $N_1$, $N_2$, $N_3$, and $N_4$ of N. The hash values of $N_1$, $N_2$, $N_3$, and $N_4$ are $h_{N_1}$, $h_{N_2}$, $h_{N_3}$, and $h_{N_4}$, respectively. Firstly, the DO calculates $S_M$, $acc\left(S_M\right)$, and $B{F}_M$ (see Section 5.3.2). Then, the DO computes $h_{N_{child}}=h_{N_1}\oplus h_{N_2}\oplus h_{N_3}\oplus h_{N_4}$ and computes $h_N=has{h}_{node}(h_{N_{child}}\oplus S_M\oplus acc\left(S_M\right)\oplus B{F}_M)$. Finally, the DO stores $h_{N_{child}}$, $acc\left(S_M\right)$, $B{F}_M$, and $h_N$ in the internal node N.

Note that some internal nodes may not have four child nodes. In such cases, the DO only needs to use the hash values of all the child nodes of the internal node to compute the hash value of the internal node. For example, as shown in Figure 3, the internal node $N_A$ has only two child nodes (leaf nodes) $N_B$ and $N_C$. $N_A$ is associated with MR $M_{11}^3$. In this case, the DO computes the hash values $h_{{N_A}_{child}}=h_{N_B}\oplus h_{N_C}$ and $h_{N_A}=has{h}_{node}(h_{{N_A}_{child}}\oplus S_{M_{11}^3}\oplus acc\left(S_{M_{11}^3}\right)\oplus B{F}_{M_{11}^3})$. Then, the DO stores $h_{{N_A}_{child}}$, $S_{M_{11}^3}$, $acc\left(S_{M_{11}^3}\right)$, $B{F}_{M_{11}^3}$, and $h_{N_A}$ in the internal node $N_A$.

After the DO adds the aforementioned information to each MRT node, the MRT index is constructed.

5.3.3. Query Token Generation

Firstly, for a queried range Q, the DU represents Q by using the minimum point $q_{min}=(u_{min},v_{min})\in Q$ and the maximum point $q_{max}=(u_{max},v_{max})\in Q$. The DU converts $u_{min}$, $v_{min}$, $u_{max}$, and $v_{max}$ to t-length binary strings, denoted by $B\left(u_{min}\right)$, $B\left(v_{min}\right)$, $B\left(u_{max}\right)$, and $B\left(v_{max}\right)$, respectively. Secondly, the DU randomly chooses numbers $r_{u_{min}}$, $r_{v_{min}}$, $r_{u_{max}}$, and $r_{v_{max}}$ for $u_{min}$, $v_{min}$, $u_{max}$, and $v_{max}$, respectively, and also converts these random numbers to t-length binary strings, denoted by $B\left(r_{u_{min}}\right)$, $B\left(r_{v_{min}}\right)$, $B\left(r_{u_{max}}\right)$, and $B\left(r_{v_{max}}\right)$, respectively. Then, the DU calculates 0-encodings for $B\left(u_{min}\right)\left|\right|B\left(r_{u_{min}}\right)$ and $B\left(v_{min}\right)\left|\right|B\left(r_{v_{min}}\right)$, denoted by $S_{u_{min}}^0$ and $S_{v_{min}}^0$, respectively. The DU calculates 1-encodings for $B\left(u_{max}\right)\left|\right|B\left(r_{u_{max}}\right)$ and $B\left(v_{max}\right)\left|\right|B\left(r_{v_{max}}\right)$, denoted by $S_{u_{max}}^1$ and $S_{v_{max}}^1$, respectively. Thus, the encoding of Q is represented by $S_{u_{min}}^0$, $S_{v_{min}}^0$, $S_{u_{max}}^1$, and $S_{v_{max}}^1$.

Secondly, to determine whether the queried range Q intersects with an MR M, the CS should determine whether ${\overline{S}}_{u_{min}}^0$ intersects with ${\overline{S}}_{x_{max}}^1$, ${\overline{S}}_{v_{min}}^0$ intersects with ${\overline{S}}_{y_{max}}^1$, ${\overline{S}}_{u_{max}}^1$ intersects with ${\overline{S}}_{x_{min}}^0$, and ${\overline{S}}_{v_{max}}^1$ intersects with ${\overline{S}}_{y_{min}}^0$ (see Section 5.3.4). Thus, the DO calculates ${\overline{S}}_{u_{min}}^0=\left\{hash(a,k)\right||ta{g}_2\}$ (where $a\in S_{u_{min}}^0$), ${\overline{S}}_{v_{min}}^0=\left\{hash(a,k)\right||ta{g}_3\}$ (where $a\in S_{v_{min}}^0$), ${\overline{S}}_{u_{max}}^1=\left\{hash(a,k)\right||ta{g}_0\}$ (where $a\in S_{u_{max}}^1$), and ${\overline{S}}_{v_{max}}^1=\left\{hash(a,k)\right||ta{g}_1\}$ (where $a\in S_{v_{max}}^1$).

Finally, the DU executes the algorithm $Setup({\overline{S}}_{u_{min}}^0,p{k}_{ACC},s{k}_{ACC})$ in [32], which outputs the accumulated value of all elements in ${\overline{S}}_{u_{min}}^0$, denoted by $acc\left({\overline{S}}_{u_{min}}^0\right)$. Using the same method, the DU can obtain the accumulated value of all elements in ${\overline{S}}_{v_{min}}^0$, ${\overline{S}}_{u_{max}}^1$, and ${\overline{S}}_{v_{max}}^1$, denoted by $acc\left({\overline{S}}_{v_{min}}^0\right)$, $acc\left({\overline{S}}_{u_{max}}^1\right)$ and $acc\left({\overline{S}}_{v_{max}}^1\right)$, respectively. The DU sends ${\overline{S}}_{u_{min}}^0$, ${\overline{S}}_{v_{min}}^0$, ${\overline{S}}_{u_{max}}^1$, ${\overline{S}}_{v_{max}}^1$, and their corresponding accumulated values $acc\left({\overline{S}}_{u_{min}}^0\right)$, $acc\left({\overline{S}}_{v_{min}}^0\right)$, $acc\left({\overline{S}}_{u_{max}}^1\right)$, and $acc\left({\overline{S}}_{v_{max}}^1\right)$ as the query token to the CS.

5.3.4. Range Query

In this section, we first transform the operation of determining the positional relationship between Q and M into the operation of comparing two values in Q and M. Then, we utilize the 0–1 encoding technique to convert the operation of comparing the values into the operation of determining whether two different sets intersect. We add the tags $ta{g}_1$, $ta{g}_2$, $ta{g}_3$, and $ta{g}_4$ to the elements in these sets. This allows for the CS to find the sets and then correctly perform the set intersection operations.

As shown in Figure 4, the MR M of a node N can be represented by the minimum point $p_{min}=(x_{min},y_{min})$ and the maximum point $p_{max}=(x_{max},y_{max})$. Similarly, the queried range Q can be represented by the minimum point $q_{min}=(u_{min},v_{min})$ and the maximum point $q_{max}=(u_{max},v_{max})$. As shown in Figure 5 (1)–(4), if $Q\cap M=\varnothing$, there are four possible positional relationships between Q and M: Figure 5 (1) shows that Q is positioned to the right of M, which indicates $x_{max}<u_{min}$; Figure 5 (2) shows that Q is positioned to the left of M, which indicates $u_{max}<x_{min}$; Figure 5 (3) shows that Q is positioned above M, which indicates $v_{max}<y_{min}$; Figure 5 (4) shows that Q is positioned below M, which indicates $y_{max}<v_{min}$.

According to 0–1 encoding, if $x_{max}<u_{min}$, there is $S_{x_{max}}^1\cap S_{u_{min}}^0=\varnothing$. Note that ${\overline{S}}_{x_{max}}^1=\left\{hash(a,k)\right||ta{g}_2\}$ (where $a\in S_{x_{max}}^1$) and ${\overline{S}}_{u_{min}}^0=\left\{hash(a,k)\right||ta{g}_2\}$ (where $a\in S_{u_{min}}^0$). Thus, if $x_{max}<u_{min}$, there is ${\overline{S}}_{x_{max}}^1\cap {\overline{S}}_{u_{min}}^0=\varnothing$. Note that ${\overline{S}}_{x_{min}}^0=\left\{hash(a,k)\right||ta{g}_0\}$ (where $a\in S_{x_{min}}^0$), ${\overline{S}}_{y_{min}}^0=\left\{hash(a,k)\right||ta{g}_1\}$ (where $a\in S_{y_{min}}^0$), and ${\overline{S}}_{y_{max}}^1=\left\{hash(a,k)\right||ta{g}_3\}$ (where $a\in S_{y_{max}}^1$). As the tagging parameters are different, there is no element in ${\overline{S}}_{x_{min}}^0$, ${\overline{S}}_{y_{min}}^0$ and ${\overline{S}}_{y_{max}}^1$ that is the same as any element in ${\overline{S}}_{u_{min}}^0$. It is easy to know that ${\overline{S}}_{x_{min}}^0\cap {\overline{S}}_{u_{min}}^0=\varnothing$, ${\overline{S}}_{y_{min}}^0\cap {\overline{S}}_{u_{min}}^0=\varnothing$ and ${\overline{S}}_{y_{max}}^1\cap {\overline{S}}_{u_{min}}^0=\varnothing$. Thus, we have the conclusion that if $x_{max}<u_{min}$, there is ${\overline{S}}_{u_{min}}^0\cap S_M=\varnothing$, where $S_M={\overline{S}}_{x_{min}}^0\cup {\overline{S}}_{y_{min}}^0\cup {\overline{S}}_{x_{max}}^1\cup {\overline{S}}_{y_{max}}^1$. According to the above analysis, we have the following conclusions.

• $x_{max}<u_{min}\iff S_{u_{min}}^0\cap S_{x_{max}}^1=\varnothing \iff {\overline{S}}_{u_{min}}^0\cap {\overline{S}}_{x_{max}}^1=\varnothing \iff {\overline{S}}_{u_{min}}^0\cap S_M=\varnothing$ (corresponds to a positional relationship in Figure 5 (1));
• $u_{max}<x_{min}\iff S_{u_{max}}^1\cap S_{x_{min}}^0=\varnothing \iff {\overline{S}}_{u_{max}}^1\cap {\overline{S}}_{x_{min}}^0=\varnothing \iff {\overline{S}}_{u_{max}}^1\cap S_M=\varnothing$ (corresponds to a positional relationship in Figure 5 (2));
• $v_{max}<y_{min}\iff S_{v_{max}}^1\cap S_{y_{min}}^0=\varnothing \iff {\overline{S}}_{v_{max}}^1\cap {\overline{S}}_{y_{min}}^0=\varnothing \iff {\overline{S}}_{v_{max}}^1\cap S_M=\varnothing$ (corresponds to a positional relationship in Figure 5 (3));
• $y_{max}<v_{min}\iff S_{v_{min}}^0\cap S_{y_{max}}^1=\varnothing \iff {\overline{S}}_{v_{min}}^0\cap {\overline{S}}_{y_{max}}^1=\varnothing \iff {\overline{S}}_{v_{min}}^0\cap S_M=\varnothing$ (corresponds to a positional relationship in Figure 5 (4)), where $S_M={\overline{S}}_{x_{min}}^0\cup {\overline{S}}_{y_{min}}^0\cup {\overline{S}}_{x_{max}}^1\cup {\overline{S}}_{y_{max}}^1$.

Therefore, if the CS determines that ${\overline{S}}_{u_{min}}^0\cap S_M=\varnothing$, ${\overline{S}}_{u_{max}}^1\cap S_M=\varnothing$, ${\overline{S}}_{v_{max}}^1\cap S_M=\varnothing$, or ${\overline{S}}_{v_{min}}^0\cap S_M$, then there is $Q\cap M=\varnothing$.

The CS extracts ${\overline{S}}_{u_{min}}^0$, ${\overline{S}}_{v_{min}}^0$, ${\overline{S}}_{u_{max}}^1$, and ${\overline{S}}_{v_{max}}^1$ from the query token of Q and extracts $S_M$ from the node N in the MRT index. If ${\overline{S}}_{u_{min}}^0\cap S_M=\varnothing$, ${\overline{S}}_{u_{max}}^1\cap S_M=\varnothing$, ${\overline{S}}_{v_{max}}^1\cap S_M=\varnothing$, or ${\overline{S}}_{v_{min}}^0\cap S_M$, then the CS determines $Q\cap M=\varnothing$ and stops querying the descendant nodes of N in the MRT index. Otherwise, the CS continues querying the descendant nodes of N in the MRT index. The CS begins determining from the root node to the leaf nodes in the MRT index. Finally, it retrieves the encrypted POIs in the leaf nodes, which meet the query request of the DU. These retrieved ciphertexts of POIs are then returned to the DU as the query results.

5.3.5. Verification of Correctness and Entirety in the Query Process

To verify the correctness and entirety in the query process, the DU can request relevant information from the CS.

Suppose N is a node in the MRT index, which is associated with an MR M. In the query process, if the CS determines $Q\cap M=\varnothing$, the DU can request the CS to provide a proof as follows.

The CS extracts the binary string $B{F}_M$ from the node N and sends it to the DU. Upon receiving $B{F}_M$, the DU extracts each element a from ${\overline{S}}_{u_{min}}^0$ in the query token and calculates hash values $has{h}_{BF}(a,k_1)$, $has{h}_{BF}(a,k_2)$, …, $has{h}_{BF}(a,k_w)$. Then, the DU checks if the values at the positions of all hash values in $B{F}_M$ are 1. If there is no such element a, it means that ${\overline{S}}_{u_{min}}^0\cap S_M=\varnothing$. Then, the DU can verify $Q\cap M=\varnothing$. Similarly, the DU can also determine whether ${\overline{S}}_{v_{min}}^0\cap S_M=\varnothing$, or ${\overline{S}}_{u_{max}}^1\cap S_M=\varnothing$, or ${\overline{S}}_{v_{max}}^1\cap S_M=\varnothing$ by using $B{F}_M$, and then verify $Q\cap M=\varnothing$. Otherwise, $B{F}_M$ fails to verify $Q\cap M=\varnothing$. This could be due to false positive errors in the Bloom filter, and the probability of such false positives occurring is very low [33]. Thus, the DU requests other information from the CS to verify $Q\cap M=\varnothing$. The CS extracts ${\overline{S}}_{u_{min}}^0$ in the query token and $S_M$ in the node N. Then, the CS executes the algorithm $ProveDisjoint({\overline{S}}_{u_{min}}^0,S_M,pk)$ in [32], and then obtains the proof ${\prod }_{u_{min}}$ that represents the relationship between ${\overline{S}}_{u_{min}}^0$ and $S_M$. Similarly, the CS can obtain the proof ${\prod }_{v_{min}}$ that represents the relationship between ${\overline{S}}_{v_{min}}^0$ and $S_M$, the proof ${\prod }_{u_{max}}$ that represents the relationship between ${\overline{S}}_{u_{max}}^1$ and $S_M$, and the proof ${\prod }_{v_{max}}$ that represents the relationship between ${\overline{S}}_{v_{max}}^1$ and $S_M$. The DO sends ${\prod }_{u_{min}}$, ${\prod }_{v_{min}}$, ${\prod }_{u_{max}}$, ${\prod }_{v_{max}}$, and $acc\left(S_M\right)$ to the DU. The DU executes the algorithm $VerifyDisjoint(acc\left({\overline{S}}_{u_{min}}^0\right),acc\left(S_M\right),{\prod }_{u_{min}},pk)$ in [32] to verify ${\overline{S}}_{u_{min}}^0\cap S_M=\varnothing$. Similarly, the DU executes the algorithm $VerifyDisjoint$ to verify ${\overline{S}}_{v_{min}}^0\cap S_M=\varnothing$, ${\overline{S}}_{u_{max}}^1\cap S_M=\varnothing$, and ${\overline{S}}_{v_{max}}^1\cap S_M=\varnothing$. If any equation ${\overline{S}}_{u_{min}}^0\cap S_M=\varnothing$, ${\overline{S}}_{v_{min}}^0\cap S_M=\varnothing$, or ${\overline{S}}_{u_{max}}^1\cap S_M=\varnothing$, or ${\overline{S}}_{v_{max}}^1\cap S_M=\varnothing$ is satisfied, it means that $Q\cap M=\varnothing$. Finally, the DU can determine whether the CS has correctly executed the query process.

Note that a Bloom filter is adopted in the above verification process. The Bloom filter can provide fast verification and relatively high accuracy to prove that $Q\cap M=\varnothing$. However, considering that the Bloom filter may have a very low probability of false positive errors occurring, a cryptographic multiset accumulator is adopted in our scheme EVRQ. By combining the Bloom filter and cryptographic multiset accumulator, EVRQ ensures the efficiency of the verification and the correctness of the query process.

Suppose (1) $Enc\left(s_1\right)$ is the ciphertext of the POI $s_1$ queried by the DU; (2) $s_1$ is located in the MR $M_1$ that is associated with the leaf node $N_1$; (3) $N_1$, $N_2$, $N_3$, and $N_4$ are sibling nodes; (4) N is the parent node of $N_1$, $N_2$, $N_3$, and $N_4$; (5) the POIs of $N_2$, $N_3$, and $N_4$ are not covered by the queried range Q. The DU requests $Enc\left(s_1\right)$, $S_{M_1}$, $acc\left(S_{M_1}\right)$, $B{F}_{M_1}$, and $h_{N_1}$ of the node $N_1$ from the CS. By verifying whether $h_{N_1}$ is equal to $has{h}_{node}(Enc\left(s_1\right)\oplus S_{M_1}\oplus acc\left(S_{M_1}\right)\oplus B{F}_{M_1})$, the DU can determine whether the CS has illegally modified the information of $N_1$ or provided incorrect information to the DU. Then, the DU requests the hash values $h_{N_2}$, $h_{N_3}$, and $h_{N_4}$ stored in $N_2$, $N_3$, and $N_4$, respectively, and $S_M$, $acc\left(S_M\right)$, and $B{F}_M$ stored in N. Next, the DU calculates the hash value $h_N=has{h}_{node}(h_{N_1}\oplus h_{N_2}\oplus h_{N_3}\oplus h_{N_4}\oplus S_M\oplus acc\left(S_M\right)\oplus B{F}_M)$. Using this method in a bottom–up manner iteratively, the DU calculates the hash values of the ancestor nodes of $N_1$. Finally, the DU tests whether the computed hash value of the root node is equal to the hash value stored in the root node of the MRT index. If they are equal, it indicates that the CS has honestly provided all the information and executed the range query’s entirety.

6. Experiments

In our experiments, we compared our scheme EVRQ with the MDOPE scheme [27]. Our scheme EVRQ is constructed based on a map region tree, 0–1 encoding, hash function, Bloom filter, and cryptographic multiset accumulator. The computations involving bilinear groups in a cryptographic multiset accumulator [32] were implemented using the Java Pairing Based Cryptography Library 2.0.0 [35]. The MDOPE scheme is constructed based on the network data structure, prefix encoding, and Bloom filter. Our experiments were conducted on a Win10 computer equipped with an AMD Ryzen 5 2500U CPU and 8 GB of Random Access Memory (RAM). We used the control variables method to test the efficiency of EVRQ and MDOPE on two properties: the volume of the experimental data and the scale of the queried range. As the EVRQ scheme is not affected by the distribution density of geographical data, to ensure a fair and comprehensive comparison between the EVRQ scheme and the MDOPE scheme, we generated data sets of different sizes in which geographical data are randomly and evenly distributed. These data sets consisted of $2^6$, $2^8$, $2^{10}$, $2^{12}$, and $2^{14}$ distinct geographical data, respectively. The geographical data in these data sets were evenly distributed within the map regions $[1,2^3]\times [1,2^3]$, $[1,2^4]\times [1,2^4]$, $[1,2^5]\times [1,2^5]$, $[1,2^6]\times [1,2^6]$, and $[1,2^7]\times [1,2^7]$, respectively. In the subsequent experiments, we executed each algorithm hundreds of times and calculated the average runtime.

6.1. Index Construction

As shown in Figure 6, as the number of geographical data increases from $2^6$ to $2^{14}$ exponentially, both the EVRQ scheme and the MDOPE scheme require larger indexes to accommodate these geographical data, leading to an exponential increase in the number of index nodes. Consequently, the time of index generation in both the EVRQ scheme and the MDOPE scheme also increases exponentially. In the EVRQ scheme, it is necessary to generate additional information for each index node to verify the correctness and integrity of the query process. The additional information includes the hash value for each index node and the cryptographic accumulator value of the map region for each index node. The hash values for each index node must be generated from the leaf nodes to the root node in a bottom–up manner. The cryptographic accumulator value involves complex elliptic curve operations. Consequently, the index generation in the EVRQ scheme is slow. Compared to the EVRQ scheme, the MDOPE scheme does not support the verification of query process correctness and integrity. Therefore, the MDOPE scheme only needs to compute and store binary strings generated by a Bloom filter that supports ciphertext comparison operations. As a result, the MDOPE scheme is faster in terms of index generation compared to the EVRQ scheme.

Note that in cloud-based LBS applications, the index generation process is completed prior to serving the data user and only needs to be generated once for permanent usage. Therefore, the index generation process does not have any negative impact on the data user’s experience.

6.2. Token Generation

In our experiments, the queried ranges were randomly generated in the ranges of $[1,2^3]\times [1,2^3]$, $[1,2^4]\times [1,2^4]$, $[1,2^5]\times [1,2^5]$, $[1,2^6]\times [1,2^6]$, and $[1,2^7]\times [1,2^7]$, respectively. Thus, the average length of encodings that represent these queried ranges increases from 3 bits to 7 bits. As shown in Figure 7, as the average length of encodings increases in the EVRQ scheme, the generation of query token is very efficient. However, in the MDOPE scheme, the generation of query token is very slow, and its time increases exponentially. In the EVRQ scheme, the generation of query token requires binary strings and hash values of two points of the queried range, making it very efficient. In contrast, in the MDOPE scheme, a queried range is represented by a large number of binary strings, and then these binary strings need to be merged pairwise, resulting in a small number of combined binary strings. Due to the enormous number of binary strings that need to be merged, the generation of query tokens becomes highly inefficient. Additionally, as the query range expands in size, the number of binary strings to be merged grows exponentially, leading to an exponential increase in the time of query token generation in the MDOPE scheme.

6.3. Range Query

As shown in Figure 8, the time for range query increases with the height of the index. This is because as the height of the index increases, the number of index nodes that need to be compared by the query tokens also grows. In the EVRQ scheme, range query is implemented by determine whether there exists the intersection between several sets of hash values. In the MDOPE scheme, range query is implemented by checking if several sets of hash values match a binary string generated by a Bloom filter. Both of these operations, used to determine whether a queried range matches an index node, are highly efficient. As a result, both the EVRQ and MDOPE schemes exhibit highly efficient query performance.

6.4. Verification

As the MDOPE scheme does not support verifying the correctness and integrity of the query process, we only conducted tests on the EVRQ scheme. Figure 9 demonstrates the efficiency of the correctness verification for the query process. As the index height increases, the size of the index also correspondingly increases. However, since the average size of the randomly generated query ranges also increases, the number of index nodes that need to be verified does not change significantly. This results in the consistent efficiency of the correctness verification for the query process. In the correctness verification of the query process, the Bloom filter is very efficient and exhibits a high accuracy rate. It efficiently verifies the majority of MRT index nodes that do not intersect with the queried range. In rare cases where the Bloom filter experiences false positive errors, a cryptographic accumulator is used to verify a small number of MRT index nodes that do not intersect with the queried range. Therefore, the EVRQ scheme ensures both the efficiency and accuracy of the correctness verification for the query process.

As shown in Figure 10, the efficiency of the integrity verification for the query process is demonstrated. In order to verify the integrity of the query process, a data user needs to calculate the hash value for the retrieved query results from leaf nodes. Then, in a bottom–up manner, the data user calculates the hash values for the ancestor nodes, finally computing the hash value of the root node and comparing it with the hash value stored in the root node. When the index height increases, the data user needs to calculate the hash values of more nodes. Consequently, the time required for verifying the integrity of the query process also increases. However, due to the high efficiency of hash calculations, the process of verifying the integrity of the query process remains highly efficient.

7. Correctness and Security Analysis of EVRQ

In this section, we first analyze the correctness of the EVRQ scheme. Then, we demonstrate the information of the EVRQ scheme. Finally, we analyze the indistinguishability of the MRT index.

Theorem 1.

Our method EVRQ complies with the correctness of Definition 1.

Proof. 

Suppose that an MR M is represented by the minimum point $p_{min}=(x_{min},y_{min})\in M$ and the maximum point $p_{max}=(x_{max},y_{max})\in M$, and a queried range Q is represented by the minimum point $q_{min}=(u_{min},v_{min})\in Q$ and the maximum point $q_{max}=(u_{max},v_{max})\in Q$. According to the 0–1 encoding technique, $(x_{max}<u_{min})\vee (u_{max}<x_{min})\vee (v_{max}<y_{min})\vee (y_{max}<v_{min})=true$ means $(S_{u_{min}}^0\cap S_{x_{max}}^1=\varnothing )\vee (S_{u_{max}}^1\cap S_{x_{min}}^0=\varnothing )\vee (S_{v_{max}}^1\cap S_{y_{min}}^0=\varnothing )\vee (S_{v_{min}}^0\cap S_{y_{max}}^1=\varnothing )=true$. As $(x_{max}<u_{min})\vee (u_{max}<x_{min})\vee (v_{max}<y_{min})\vee (y_{max}<v_{min})=true$ means $Q\cap M=\varnothing$ (see Section 5.3.4), $(S_{u_{min}}^0\cap S_{x_{max}}^1=\varnothing )\vee (S_{u_{max}}^1\cap S_{x_{min}}^0=\varnothing )\vee (S_{v_{max}}^1\cap S_{y_{min}}^0=\varnothing )\vee (S_{v_{min}}^0\cap S_{y_{max}}^1=\varnothing )=true$ means $Q\cap M=\varnothing$. Section 5.3.4 also gives four formulas: $S_{u_{min}}^0\cap S_{x_{max}}^1=\varnothing \iff {\overline{S}}_{u_{min}}^0\cap {\overline{S}}_{x_{max}}^1=\varnothing \iff {\overline{S}}_{u_{min}}^0\cap S_M=\varnothing$, $S_{u_{max}}^1\cap S_{x_{min}}^0=\varnothing \iff {\overline{S}}_{u_{max}}^1\cap {\overline{S}}_{x_{min}}^0=\varnothing \iff {\overline{S}}_{u_{max}}^1\cap S_M=\varnothing$, $S_{v_{max}}^1\cap S_{y_{min}}^0=\varnothing \iff {\overline{S}}_{v_{max}}^1\cap {\overline{S}}_{y_{min}}^0=\varnothing \iff {\overline{S}}_{v_{max}}^1\cap S_M=\varnothing$, and $S_{v_{min}}^0\cap S_{y_{max}}^1=\varnothing \iff {\overline{S}}_{v_{min}}^0\cap {\overline{S}}_{y_{max}}^1=\varnothing \iff {\overline{S}}_{v_{min}}^0\cap S_M=\varnothing$. Thus, it is easy to know if $({\overline{S}}_{u_{min}}^0\cap S_M=\varnothing )\vee ({\overline{S}}_{u_{max}}^1\cap S_M=\varnothing )\vee ({\overline{S}}_{v_{max}}^1\cap S_M=\varnothing )\vee ({\overline{S}}_{v_{min}}^0\cap S_M)=\varnothing$, there is $Q\cap M=\varnothing$. Otherwise, $Q\cap M\ne \varnothing$. □

Therefore, by utilizing the query token of Q to exclude all MRs that do not intersect with Q, the CS can determine the rest MRs that intersect with Q. In a top–down manner, the CS eventually finds the leaf nodes of the MRT index whose MRs intersect with Q. The CS returns the ciphertexts of POIs in these leaf nodes to the DU as query results. Thus, our scheme EVRQ complies with the correctness defined in Definition 1.

Theorem 2.

Our scheme EVRQ adheres to the security in Definition 2.

Proof. 

The POIs are encrypted using a secure encryption scheme, and the security of the geographical data can be guaranteed by the encryption scheme. Suppose that d represents the information of an MR M or a queried range Q. Then, d is a value in the set $\{x_{min},y_{min},x_{max},y_{max},u_{min},v_{min},u_{max},v_{max}\}$. In our scheme EVRQ, firstly, d is converted to a binary string $B\left(d\right)$. Then, a random number $r_d$ is chosen and converted to a binary string $B\left(r_d\right)$. Next, the 0–1 encoding of $B\left(d\right)\left|\right|B\left(r_d\right)$ is computed, which is denoted by $S_{B\left(d\right)\left|\right|B\left(r_d\right)}^0$ (or $S_{B\left(d\right)\left|\right|B\left(r_d\right)}^1$). Finally, each element of $S_{B\left(d\right)\left|\right|B\left(r_d\right)}^0$ (or $S_{B\left(d\right)\left|\right|B\left(r_d\right)}^1$) is processed by a hash function, and then padded with a $tag$, which is denoted by $\left\{hash\right(a,k\left)\right|\left|tag\right\}$, where $a\in S_{B\left(d\right)\left|\right|B\left(r_d\right)}^0$ (or $\left\{hash\right(a,k\left)\right|\left|tag\right\}$, where $a\in S_{B\left(d\right)\left|\right|B\left(r_d\right)}^1$). According to the 0–1 encoding technique, the total number of elements in $\left\{hash\right(a,k\left)\right|\left|tag\right\}$, where $a\in S_{B\left(d\right)\left|\right|B\left(r_d\right)}^0$ (or $\left\{hash\right(a,k\left)\right|\left|tag\right\}$, where $a\in S_{B\left(d\right)\left|\right|B\left(r_d\right)}^1$), is equal to the total number of 0 (or 1) in $B\left(d\right)\left|\right|B\left(r_d\right)\left|\right|tag$. Consequently, adversaries possess knowledge solely of the leakage function $F\left(d\right)=cound\left(d\right)$. Hence, the EVRQ scheme adheres to the security in Definition 2. □

Note that, there are several ways to mitigate such information leakage. For example, the DO can increase the length of $B\left(r_d\right)$ or adjust the total number of 0 (or 1) in $B\left(r_d\right)$ to control the total number of 0 (or 1) in $B\left(d\right)\left|\right|B\left(r_d\right)$. The DO can also add some artificial pseudo-hash values to reduce the risk of such information leakage.

Theorem 3.

Our scheme EVRQ adheres to the security in Definition 3.

Proof. 

In the MRT index, each node is associated with an MR. As the MRs of the same-level nodes contain an equal (or similar) number of POIs, the structures of the corresponding subtrees are the same (or similar). Thus, it is difficult to effectively distinguish different MRs of the same-level nodes and the corresponding subtrees. This feature ensures the security of the density distribution of POIs. Therefore, an attacker (including the untrusted CS) cannot infer the DU’s query privacy by observing the DU’s query process on the MRT index and analyzing the density distribution information of POIs on a map. □

If two different MPs contain a similar number of POIs (i.e., one MP contains one more POI than the other MP), due to the secure processing of the MP index, attackers can only distinguish between these two MPs based on the number of POIs they contain; attackers cannot obtain any other useful information. Additionally, the DO can make these two MP indistinguishable by adding a fake POI to the MP with fewer POIs. As a result, attackers are unable to differentiate between these two different MPs.

8. Discussion

In this paper, we propose the EVRQ scheme. Compared to order-preserving encryption methods, EVRQ protects the order information between ciphertexts by transforming the comparison of ciphertexts into set intersection operations. In contrast to bucketization methods, EVRQ supports accurate geographic information queries. The accuracy of query results is crucial in LBS applications, and EVRQ enables the data user to accurately locate the desired POIs. Compared to public key-based methods, EVRQ avoids computationally expensive calculations on bilinear groups during the query process, resulting in a higher efficiency and timely delivery of query results to the data user, thereby providing a better user experience. Additionally, EVRQ partitions the map in a reasonable manner, preventing attackers from analyzing the query privacy of the data user based on the density distribution of POIs and analyzing map information using the index structure. EVRQ also combines the Bloom filter and cryptographic multiset accumulator, making the verification process more efficient.

9. Conclusions

In this paper, we mainly consider several types of malicious behaviors of the untrusted cloud server and propose a range query scheme EVRQ. In EVRQ, the data owner builds an MRT index. In the MRT index, as the MRs of the same level contain an equal (or similar) number of POIs, the corresponding subtrees in MRT are the same (or similar), which can effectively ensure the security of the density distribution of POIs. Therefore, attackers (including the untrusted cloud server) cannot infer the data user’s query privacy by observing the data user’s query process on the MRT and analyzing the density distribution of POIs on a map. In the MRT index, the Bloom filter and cryptographic multiset accumulator techniques are adopted to efficiently and effectively verify the correctness of the query process in the cloud server. Specifically, the data owner can achieve efficient verification in the majority of cases by using a Bloom filter and achieve effective verification in rare cases by using a cryptographic multiset accumulator (when false positive errors occur in the Bloom filter). Additionally, to ensure that the cloud server has traversed the entire MRT index when executing a range query and has not made any malicious modifications to the outsourced data, the MRT index incorporates hash techniques. Thus, the proposed scheme EVRQ can effectively achieve secure range queries for geographical information in an untrusted cloud environment.